Enterprises all over the world struggle to maximize the efficiency of their security and threat identification processes. Security teams within enterprises usually work in a bubble. They cannot reveal publicly that they are under threat without compromising the reputation of the organization, and therefore cannot ask for help or tap into the knowledge of security teams in other companies who may have already dealt with the same threat, and could help them quickly remedy it.
This is where ServiceNow comes into the picture. In a revolutionary step toward improved threat handling and security management, ServiceNow included Threat Intelligence and Trusted Security Circles – two applications that change the game in enterprise security.
Finding Indicators of Compromise through Threat Intelligence
The Threat Intelligence application helps security teams identify IoCs or indicators of compromise and utilize this threat intelligence data to bolster security incidents.
The application performs as a point of reference for, and access to threat intelligence data, aka STIX data (Structured Threat Information Expression). STIX data works seamlessly with TAXII profiles (Trusted Automated Exchange of Indicator Information) to create a structured system for cyber threat information reportage and descriptions.
Using STIX and TAXII, a threat professional can easily isolate a cyber threat and find out whether the threat incident at hand has happened before, both within the company and from other trusted sources, and therefore use the shared threat information to find out how to go about remediation. Without TAXII, widespread sharing of threat data would be impossible.
The Need for Shared Threat Data
ServiceNow’s Trusted Security Circles is such an important application because it prevents security teams from working blind anymore.
Using Trusted Security Circles, security teams can:
It is important to note that security professionals need not reveal themselves or the company they work with, when sending out a query. Queries in the circle remain anonymous, and sighting searches are carried out using suspicious observables, thereby protecting the reputations of enterprises, and preventing potential hackers from spotting vulnerabilities.
This system also guards the supply chain, because information from your trusted circle will also help you find out if a security incident being investigated is affecting enterprises at different stages in the supply chain – whether vendors, partners, suppliers, or peers.
Build Your Own Trusted Security Circles
Trusted Security Circles function exactly like a secured communication channel.
What is customizable is the level of access that different teams or people have to particular circles or channels.
There can be generalized security circles for all security professionals, as well as specialized ones for specific intra-enterprise verticals like Finance and inter-enterprise verticals like healthcare. Circles can be location-specific – open only to professionals in a particular city, or enterprise-specific – open only to the suppliers of a single enterprise.
Groups of different organizations can band together to share threat intelligence, or it can be as narrow as different teams within the same division of a single organization. Circles are democratic. All you need to join is a valid organizational profile, and whenever a query is sent out, every single member of the Circle receives a notification.
Running a Search for Threat Data
Using Threat Intelligence, you can do a sightings search for observables, which are network or OS artifacts that indicate that an intrusion event could have occurred. Observables can be URLs, IP addresses, domain names, or MD5 hashes of malware files.
Within your Trusted Circle, you can then share the observable, thereby sharing all local sightings of that observable. When you run a Sightings Search, you can select a single or many observables and define the time frame of the security incident. You will receive a Security Incidents Observables list with all your results.
With these tools, you will be able to determine the prevalence of a threat over time or test remediation and eradication efforts. You can then share this information with your Circle members, thereby contributing to the growth in global shared threat information knowledge.
There is no better way to improve threat prioritization, and build a community of trusted security professionals and a bank of global knowledge on observables and threat intelligence than with ServiceNow’s Trusted Security Circles, and no easier way to organize, reference, and access threat data than the Threat Intelligence application. If you are interested in integrating your system with these tools from the ServiceNow platform, please contact us. We at abhra Inc. are skilled ServiceNow implementation partners for all its modules and services.
Description: Access community-sourced threat data and improve threat response time with ServiceNow.